A voice of reason in a world of FUD

Menu

We all face it at some point in our career. You are tasked with securing “x” and the business doesn’t want you doing your job. Sure they may put on a smile when audit or compliance are in the room but when they are alone in their office or in their team meetings they are stabbing a voodoo doll that resembles you or you walk in on a dart game where the board has been covered by your picture. They stall, delay, ignore and fight your every request. They build cases to support their argument that security is a burden to them getting their work done. Each scenario plays out a bit differently but in the end they are all the same. Security is not wanted.

I’ve worked in a few places where I security wasn’t wanted. We were there because someone said we had to be. It may have been regulators, auditors, compliance departments, a governing body for the industry, or the parent company or business itself required that we be there. But the particular business you support (or the business as a whole) wants nothing to do with you. That is frustrating for someone who believes strongly in the value of security to an organization. It’s tough to get up day after day and make the trek into the office when you know that you are going to be ignored and have to fight for every inch of ground that you gain. After several days like this the little bit of ground that you gain doesn’t give you the warm fuzzies that you would hope to get after a hard day’s work.

So what do you do? How do you keep your sanity and remain civil to your friends and family? How do you deal with this? How do you get your job done while facing constant opposition? Better yet how do you work through the situation and hopefully change some mind s and get the business on board with you?

In many cases you are going to have to start with changing the way security is viewed by the business. Usually, and unfortunately, security is often known for saying “no”, slowing down productivity, delaying product launch, impacting usability, and “keeping me from updating my Facebook status with my lunch choice for today” . This doesn’t set well with our customers (the business) for lots of reasons.
1. They are the customer and the customer is always right.
2. Their job is to produce and security hinders production.
3. They are tasked with fiscal responsibility and security is seen as being a cost center with little
to no return or value
4. Their job is to keep employee moral up and security hinders that.

Let’s look at each of these and see what we can do to effect real change that will improve our image and relationship with the business.

They are the customer and the customer is always right.
At least that is how they see it and we should let them believe it. Actually we need to act as if it is true. In reality it isn’t true anymore for its than it is for anyone else. Yet the principle behind it is very important in keeping the customer happy. Our mindset should be “if they want it then we will make it happen”. That doesn’t mean that they get what they want exactly. It means that we work with them to find a solution that will meet their needs and keep it secure. The days of saying no are behind us and we have to change the negative image that we have because of those days. If you are supporting a business that has never had security work with them then the first time you do this you may have to make sure you have smelling salts with you. If you take”no” out of your vocabulary and work to make things happen you will be amazed at how quickly the business starts to change their attitude towards security.

Their job is to produce and security hinders production.
One of the biggest complaints that I hear about security initiatives is that they often slow down the release cycle of products and programs. Sometimes there is not a whole lot that we can do about this especially early on. In today’s world we can’t ignore the need to implement security but we also can’t rush into it headfirst work little to no reward for how it impacts the work that the business is tasked to do. (Wow! That hurt to write that) One of the best things that we can do to minimize the negative impacts here is to make sure that we communicate with the business as to what is being done, why it’s happening, how it will benefit them (this one can be a tough sell), and what you are doing to make this as painless as possible. It’s also important not to have a “grin and bear it” attitude. If you can get good data that will show how the slowdown should only be temporary that will also be a big plus. Many times the problems caused by security programs will either go away or at least be reduced over time as people get used to the new processes and learn how to work with the security program.

They are tasked with fiscal responsibility and security is seen as being a cost center with little to no return or value
Don’t worry, I’m not going down the security ROI path with this one. As with most everything coast goes down over time so your job is to show the business how you too are being fiscally responsible. Be open with them about how cost and expenses rise and fall. Don’t ask them to find something without having a clear plan that shows them the cost and benefit aspects. Have plan A, B, and C when you need something new. Shot for the stars but be willing to settle for less. Also don’t come to them with a proposal that is stupid expensive when times are tough. You should never go to them unprepared. Remember they are business people not technology people and they want a business case not cool, flashy lights.

Their job is to keep employee moral up and security hinders that.
In this area there are several things that we can do to improve our image.
° Follow all of your policies. If they see you on Facebook when everyone else is blocked you will be vilified and your credibility will be damaged.
°Don’t block access to websites and technology without a good reason. There are few reasons and cases where complete exile from”non-business” sites is necessary so don’t do it just because you can.
°Expect everyone, including executives, to follow policies.
°Don’t deploy security that makes it too difficult for employees to do their job.
°Expect (read – demand) your employees to answer questions, work to solve problems, not say no, and do it all with a smile and an attitude that lets the customer know that they are not being a “stupid user”, even if they are. We all have our “stupid user” areas. Imagine how you would feel if you were expected to do something that you knew nothing about.

That does it. If you are tasked with making the business like you hopefully this will help. If you have been through this before, or are going through it now, please feel free to leave comments with what did and didn’t work for you.

Like this:

Related

2 thoughts on “Dealing with a business that doesn’t want you.”

Andy, great points and advice! While many decisions makers are great at thinking tactically, from a strategy point of view, there might be a shortage in the industry. We would just like to add that we believe it’s time decision makers understand that although security might seem like an expense, on the long run, it is actually an investment which will prevent their businesses from losing money in the future.

Andy, you express very well the difficulty of ‘imposing’ security on organizations. We find that it all comes down to people. Any security program is only as good as the people using it. The old ‘scare em first’ method is often helpful. In today’s world it isn’t difficult to find examples of costly security breaches to soften the resistance. Keep up the good work.